X Twitter Scraper
v1.0.1
Use when the user needs to interact with X (Twitter) — searching tweets, looking up users/followers, posting tweets/replies, liking, retweeting, following/un...
by @xquik
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
The name and description (interacting with X) align with the required env var (XQUIK_API_KEY); SKILL.md and the reference files document the Xquik REST/MCP APIs and related endpoints; and no unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs the agent to call the Xquik API, use MCP tools, and (optionally) implement webhook handlers; it does not instruct the agent to read unrelated files, harvest system secrets, or exfiltrate data outside the documented first‑party endpoints. Webhook example code references an optional per-webhook secret (XQUIK_WEBHOOK_SECRET) consistent with the documented flow.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk — lowest-risk install posture.
Credentials
Only XQUIK_API_KEY is required (primary credential); an optional XQUIK_WEBHOOK_SECRET is declared for webhook handlers. No unrelated tokens, cloud creds, or filesystem config paths are requested.
Persistence & Privilege
always:false (not force-included) and model invocation is allowed (normal). The skill does not request elevated platform privileges or modify other skills' configs.
Assessment
This skill appears coherent for interacting with the Xquik X/Twitter API, but review a few practical items before installing:
1) Verify the provider and docs (https://docs.xquik.com) — the skill's Source is unknown and the included metadata/version strings differ (registry shows 1.0.1 while SKILL.md/metadata reference 2.2.1); confirm you trust the publisher.
2) Use a scoped, revocable API key (not a broad account key) and never commit it to source control.
3) Review billing/rate limits carefully: many bulk extraction and write operations are metered and can incur costs.
4) Be mindful of privacy: extractions, DM access, and exports can contain sensitive user data — ensure you have legal/ethical authorization to collect or store it.
5) If you enable webhooks, store the per-webhook secret securely and verify HMAC signatures as shown.
6) If you need higher assurance, ask the publisher for a canonical package source, contact info, or a reproducible release (e.g., GitHub release) to confirm authenticity.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
𝕏 Clawdis
Env: XQUIK_API_KEY
Primary env: XQUIK_API_KEY
